DETAILED ACTION

1. This action is in response to applicant's request filed on June 23, 2010 for reconsideration
of the finality of the rejection of the last Office action and, therefore, the finality of that action is 
withdrawn. Prosecution is hereby reopened. New grounds of rejection are set forth below. 
Claims 2, 5, 15 and 16 are pending in the present application. 

Response to Arguments 

2. Applicant's arguments with respect to claims 2, 5, 15 and 16 have been considered but 
are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

3. The text of those sections of Title 35, U.S. Code not included in this action can be found 
in a prior Office action. 

4. Claim 2 is rejected under 35 U.S.C. 103(a) as being unpatentable over Henry et al., U.S.
Patent Number 7,441,043 (hereinafter Henry) and in view of Yi, U.S. Patent Number 
6,813,715 (hereinafter Yi) and further in view of Burton et al., U.S. Patent Number 7,287,269 
(hereinafter Burton). 

Regarding claim 2, Henry teaches a mobile wireless terminal apparatus (e.g., a mobile
network access device 200) in a mobile wireless communication system which has a public 
network (e.g., the Internet), a private network (e.g., corporate Intranet 218) and a public wireless 
LAN system (e.g., public WLAN 220) and comprises a virtual private network relay apparatus 
which establishes an IPsec tunnel (i.e., the virtual private network relay apparatus reads on the 
secure mobility gateway for establishing a mobile IPsec tunnel when the mobile device 200 is
connected to the corporate intranet via the Internet) with a network relay apparatus installed on 
the private network (e.g., a gateway identified as GW on the Intranet 218) via the public network 
(i.e., the Internet), further establishes the IPsec tunnel with the mobile wireless terminal 
apparatus (i.e., the network access device 200) and relays connection of the mobile wireless 
terminal apparatus (200) from the public wireless LAN system (220) to the private network (218) 
(see col. 5, lines 29-47, col. 18, lines 40-67 and fig. 2), a home agent that controls moving of the 
mobile wireless terminal apparatus (see col. 12, lines 17-20), a connection authentication server 
(e.g., a centralized authentication server such as a Radius server or AAA) that is installed on the 
public wireless LAN system and authenticates connection of the mobile wireless terminal 
apparatus to the public wireless LAN system, and a wireless LAN access point (e.g., an AP 
within public WLAN) that relays connection authentication procedures of the public wireless 
LAN performed between the mobile wireless terminal apparatus and the connection 
authentication server (see col. 7, lines 40-65 and fig. 2), the mobile wireless terminal apparatus
comprising: 

an authentication processing section that performs authentication processing for 
connection to the public wireless LAN system and to the connection authentication server (i.e., 
the authenticating processing section reads on an IRC client installed on the mobile host 200,
since the IRC client is responsible for authenticating the user or the user's computer and 
creating a secure wireless connection to authenticate the user to a corporate network) (see col. 
5, lines 32-47, col. 10, lines 60-67 and col. 14, lines 44-63); and

an address acquiring section that acquires an IP address of the virtual private network
relay apparatus (e.g., obtaining an IP address of the SMG's public interface IPsmg reads on an IP
address of the virtual private network relay apparatus) when the connection to the public 
wireless LAN system is permitted (see col. 10, lines 60-67 and col. 17, lines 1-13); and 

an IPsec key exchanging section that performs an IPsec key exchange with the virtual 
private network relay apparatus (i.e., SMG) using the IP address of the virtual private network 
relay apparatus (i.e., reads on the teaching that the IRC client establishes an IPsec tunnel (IRC- 
SMG tunnel) between the user computer and the IPsec gateway using IKE (Internet Key 
Exchange) protocol, wherein the SMG is a special mobile IPsec gateway) (see col. 9, lines 54- 
56, col. 11, lines 14-38 and col. 12, lines 3-5, col. 18, lines 40-49). 

Henry fails to explicitly teach acquiring an IP address of the virtual private network relay
apparatus from the connection authentication server; and an address notifying section that sends
an IP address of the mobile wireless terminal apparatus to the virtual private network relay
apparatus, via the connection authentication server.

In an analogous field of endeavor, Yi teaches acquiring an IP address of a home gateway 
(i.e., reads on a virtual private network relay apparatus) from an authentication server unit (i.e., 
reads on a connection authentication server); and a user authentication client unit of a remote 
mobile apparatus (i.e., reads on an address notifying section) that sends user information (i.e., an
IP address of the remote apparatus) to the home gateway, via the authentication server unit (see
col. 4, lines 25-57 and col. 5, line 24 through col. 6, line 11).

It would therefore have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Henry with Yi to include the feature of acquiring an IP address of the virtual 
private network relay apparatus from the connection authentication server; and sending an IP
address of the mobile wireless terminal apparatus to the virtual private network relay apparatus, 
via the connection authentication server, in order to establish a virtual network between an 
authenticated user and an internal network resource that the user wants to use as taught by Yi 
(see col. 3, lines 1-15). 

Henry in view of Yi fails to explicitly teach wherein the IPsec key exchange is performed by
IPsec main mode. 

However, an IPsec key exchange performed by IPsec main mode is very well known in
the art as taught for example by Burton. 

In an analogous field of endeavor, Burton teaches an IPsec key exchange is performed by 
IPsec main mode to allow security peers to authenticate each other and to encrypt data 
transferred across an unsecured Ethernet using the keys generated from the IKE transactions (see 
col. 8, lines 13-44 and col. 9, lines 2-11). 

It would therefore have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Henry and Yi with the teachings of Burton to include the feature of 
performing an IPsec key exchange by IPsec main mode, in order to separate key exchange 
information from identity and authentication information to protect identity information during 
an authentication process as taught by Burton (see col. 2, lines 49-65 and col. 9, lines 3-11). 

5. Claims 5, 15 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Henry et al., U.S. Patent Number 7,441,043 (hereinafter Henry) and in view of Yi, U.S. 
Patent Number 6,813,715 (hereinafter Yi) and in view of Oyama et al., U.S. Publication 
Number 2006/0185013 A1 (hereinafter Oyama) and further in view of Burton et al., U.S.
Patent Number 7,287,269 (hereinafter Burton). 

Regarding claims 5, 15 and 16, Henry teaches a mobile wireless terminal apparatus (e.g., 
a mobile network access device 200) in a mobile wireless communication system which has a 
public network (e.g., the Internet), a private network (e.g., corporate Intranet 218) and a public
wireless LAN system (e.g., public WLAN 220) and comprises a virtual private network relay
apparatus which establishes an IPsec tunnel (i.e., the virtual private network relay apparatus
reads on the secure mobility gateway for establishing a mobile IPsec tunnel when the mobile
device 200 is connected to the corporate intranet via the Internet) with a network relay apparatus
installed on the private network (e.g., a gateway identified as GW on the Intranet 218) via the
public network (i.e., the Internet), further establishes the IPsec tunnel with the mobile wireless
terminal apparatus (i.e., the network access device 200) and relays connection of the mobile
wireless terminal apparatus (200) from the public wireless LAN system (220) to the private
network (218) (see col. 5, lines 29-47, col. 18, lines 40-67 and fig. 2), a home agent that controls
movement of the mobile wireless terminal apparatus (see col. 12, lines 17-20), a connection
authentication server (e.g., a centralized authentication server such as a Radius server or AAA)
that is installed on the public wireless LAN system and authenticates connection of the mobile
wireless terminal apparatus to the public wireless LAN system, and a wireless LAN access point
(e.g., an AP within public WLAN) that relays connection authentication procedures of the public
wireless LAN performed between the mobile wireless terminal apparatus and the connection 
authentication server (see col. 7, lines 40-65 and fig. 2), the mobile wireless terminal apparatus 
comprising:

an authentication processing section that performs authentication processing for
connection to the public wireless LAN system and to the connection authentication server (i.e., 
the authenticating processing section reads on an IRC client installed on the mobile host 200, 
since the IRC client is responsible for authenticating the user or the user's computer and 
creating a secure wireless connection to authenticate the user to a corporate network) (see col. 
5, lines 32-47, col. 10, lines 60-67 and col. 14, lines 44-63); and 

an address acquiring section that acquires an IP address of the virtual private network 
relay apparatus (e.g., obtaining an IP address of the SMG's public interface IPsmg reads on an IP
address of the virtual private network relay apparatus) when the connection to the public 
wireless LAN system is permitted (see col. 10, lines 60-67 and col. 17, lines 1-13). 

Henry fails to explicitly teach acquiring an IP address of the virtual private network relay
apparatus from the connection authentication server; and an address notifying section that sends
an IP address of the mobile wireless terminal apparatus to the virtual private network relay
apparatus, via the connection authentication server.

In an analogous field of endeavor, Yi teaches acquiring an IP address of a home gateway 
(i.e., reads on a virtual private network relay apparatus) from an authentication server unit (i.e., 
reads on a connection authentication server); and a user authentication client unit of a remote 
mobile apparatus (i.e., reads on an address notifying section) that sends user information (i.e., an
IP address of the remote apparatus) to the home gateway, via the authentication server unit (see
col. 4, lines 25-57 and col. 5, line 24 through col. 6, line 11).

It would therefore have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Henry with Yi to include the feature of acquiring an IP address of the virtual 
private network relay apparatus from the connection authentication server; and sending an IP
address of the mobile wireless terminal apparatus to the virtual private network relay apparatus, 
via the connection authentication server, in order to establish a virtual network between an 
authenticated user and an internal network resource that the user wants to use as taught by Yi 
(see col. 3, lines 1-15). 

Henry in view of Yi fails to explicitly teach an IPsec shared key acquiring section that 
acquires an IPsec pre-shared secret key from the connection authentication server for use in an 
IPsec key exchange performed with the virtual private network relay apparatus; an MIP shared 
key acquiring section that acquires an MIP pre-shared secret key from the connection 
authentication server for use in mobile IP registration made with the home agent; an IPsec key 
exchanging section that performs exchange of the IPsec key with the virtual private network 
relay apparatus using the IPsec pre-shared secret key; and an MIP registering section that 
initiates the mobile IP registration to the home agent using the MIP pre-shared secret key. 

In an analogous field of endeavor, Oyama teaches utilizing an Authorizing, 
Authentication, Accounting (AAA) server to transfer HMIPv6-related information required for 
authenticating and authorizing a mobile node for HMIPv6 service over the AAA infrastructure
(see abstract). For example, Oyama teaches a mobile node (MN) acquires an IPsec shared key 
for use in an IPsec key exchange performed with a Mobility Anchor Point (MAP) (i.e., reads on 
a virtual private network relay apparatus) from an AAA server (see p. 8 [0115, 0117 & 0119]).
Oyama further teaches the mobile node (MN) acquires a pre-shared secret key for use in mobile
IP registration (i.e., requesting to be authenticated and given MIPv6 service) made with a home
agent (HA) from an AAA server (see p. 8 [0130, 0132 & 0134]).

It would therefore have been obvious to one of ordinary skill in the art at the time of the
invention to modify Henry and Yi with the teachings of Oyama to include a mobile wireless 
terminal apparatus acquiring an IPsec pre-shared secret key for mobile IP registration to a home 
agent, in order to efficiently transfer information for authenticating and authorizing a mobile 
node requesting mobile IP related services over an AAA infrastructure to secure pertinent 
communication as taught by Oyama (see p. 3 [0033, 0035, 0038 & 0060]). 

The combination of Henry, Yi and Oyama fails to explicitly teach wherein the IPsec key 
exchange is performed by IPsec main mode. 

However, an IPsec key exchange performed by IPsec main mode is very well known in
the art as taught for example by Burton. 

In an analogous field of endeavor, Burton teaches an IPsec key exchange is performed by 
IPsec main mode to allow security peers to authenticate each other and to encrypt data 
transferred across an unsecured Ethernet using the keys generated from the IKE transactions (see 
col. 8, lines 13-44 and col. 9, lines 2-11). 

It would therefore have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Henry, Yi and Oyama with the teachings of Burton to include the feature of 
performing an IPsec key exchange by IPsec main mode, in order to separate key exchange 
information from identity and authentication information to protect identity information during 
an authentication process as taught by Burton (see col. 2, lines 49-65 and col. 9, lines 3-11).

Conclusion

6. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

Kakemizu et al., U.S. Patent Number 7,068,640 discloses VPN system in mobile IP
network and method of setting VPN.

Mukherjee et al., U.S. Patent Number 7,478,427 discloses method and apparatus for
providing adaptive VPN to enable different security levels in virtual private networks (VPNs).

Van Ackere et al., U.S. Patent Number 7,624,429 discloses method, a network access
server, an authentication-authorization-and-accounting server, and a computer software product
for proxying user authentication-authorization-and-accounting messages via a network access 
server. 

7. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to ANTHONY S. ADDY whose telephone number is (571)272-7795.
The examiner can normally be reached on Mon-Thur 8:00am-6:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Patrick Edouard, can be reached on 571-272-7603. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Anthony S Addy/ 
Examiner, Art Unit 2617 



